From 9fc289d7396dafcd115c3d4d6697e21859f2cacb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sat, 14 Mar 2026 02:15:02 +0000
Subject: [PATCH] =?UTF-8?q?fix(back):=20index=20=E9=A1=B5=20back=20?=
 =?UTF-8?q?=E6=A0=A1=E9=AA=8C=E6=8B=92=E7=BB=9D=20nested=20back=20+=20?=
 =?UTF-8?q?=E8=B0=83=E6=95=B4=E5=A4=96=E9=93=BE=E6=96=AD=E8=A8=80=E6=8A=A4?=
 =?UTF-8?q?=E6=A0=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...nPlatformOrderIndexBackLinkNotEscapedTest.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/tests/Feature/AdminPlatformOrderIndexBackLinkNotEscapedTest.php b/tests/Feature/AdminPlatformOrderIndexBackLinkNotEscapedTest.php
index 566bd6f..d1dc39a 100644
--- a/tests/Feature/AdminPlatformOrderIndexBackLinkNotEscapedTest.php
+++ b/tests/Feature/AdminPlatformOrderIndexBackLinkNotEscapedTest.php
@@ -32,14 +32,18 @@ class AdminPlatformOrderIndexBackLinkNotEscapedTest extends TestCase
             ->assertSee('href="' . $back . '"', false);
     }
 
-    public function test_index_should_not_show_back_link_when_back_is_external_url(): void
+    public function test_index_should_not_render_back_href_when_back_is_external_url(): void
     {
         $this->loginAsPlatformAdmin();
 
-        $this->get('/admin/platform-orders?back=' . urlencode('https://evil.example.com/?x=1&y=2'))
-            ->assertOk()
-            // 页面仍会出现“返回上一页(保留上下文)”文案(其它位置也有,例如治理SOP卡提示),
-            // 因此这里改为断言:不应出现该 external back 的 href。
-            ->assertDontSee('href="https://evil.example.com/?x=1&y=2"', false);
+        $evil = 'https://evil.example.com/?x=1&y=2';
+
+        $res = $this->get('/admin/platform-orders?back=' . urlencode($evil));
+        $res->assertOk();
+
+        // 页面可能在其它位置出现“返回上一页(保留上下文)”文案,因此不做纯文本否定断言。
+        // 关键护栏:不应渲染任何指向外部 URL 的 back href。
+        $res->assertDontSee('href="' . $evil . '"', false);
+        $res->assertDontSee('href="' . str_replace('&', '&', $evil) . '"', false);
     }
 }
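Review bot: The second assertDontSee on the last added line is a no-op as shown — `str_replace('&', '&', $evil)` returns `$evil` unchanged, so it repeats the previous assertion instead of covering the HTML-escaped form of the URL; if the intended replacement was the `&amp;` entity (possibly lost when this patch was rendered), writing it as `htmlspecialchars($evil, ENT_QUOTES, 'UTF-8')` states that intent without hand-coding the entity. Both assertions are negative, so they would still pass if the external URL were emitted under a different attribute or encoding; if the page substitutes a safe fallback for a rejected back value, asserting that fallback positively would be a stronger guard. The commit subject also mentions rejecting nested back values, but this hunk only exercises the external-URL case, so a sibling test for that path would be worth checking for elsewhere in the file.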